Resolved! Global Protect at the inside truted interface
PAN 5060
Outisde untrusted interface 5.5.1.77
Inside trusted interface 10.10.1.1
Wifi guest network inside 10.10.5.0/24
Most Global Protect corporate users go to ourvpn.foo.com 5.5.1.77.
WiFi users normally PAT to the Internet using that same interface
...